What is the difference between 401 and 403?

A 401 means the request lacks valid authentication credentials, and the client may retry with credentials. A 403 means the server understood the request and the credentials but refuses to authorise it; re-authenticating will not help.

Why can 403 vs 404 be a security concern?

Returning 403 Forbidden confirms a resource exists but is off-limits, which leaks its existence to an attacker. For sensitive paths, many teams return 404 instead so unauthorised users cannot distinguish a hidden resource from a missing one.

Are 4xx and 5xx responses cached?

By default most error responses are not cached, but 404, 405, 410 and a few others are heuristically cacheable per RFC 9111 unless you send explicit Cache-Control headers. Always set Cache-Control on error responses you do not want stored.

Should I use 301 or 308 for a redirect?

Use 301 or 308 for permanent moves and 302 or 307 for temporary ones. The 307 and 308 codes guarantee the HTTP method is preserved, whereas historically 301 and 302 were sometimes rewritten to GET by clients.

Is this data fetched from a server?

No. The entire status-code table is bundled into the page, so lookups work instantly and offline with no network request.

HTTP Status Code Reference & Security Implications

HTTP status codes are the three-digit numbers a server returns to tell a client what happened to its request. Choosing the right one matters for correctness, caching and security — a misused 403 can leak the existence of hidden resources, and a 200 returned for an error breaks client retry logic. This reference explains each registered code with its correct use, common misuse, security implications and default caching behaviour, all bundled offline.

How it works

Status codes are grouped into five classes by their first digit:

1xx Informational — request received, continuing.
2xx Success — the request succeeded.
3xx Redirection — further action (usually a new URL) is needed.
4xx Client error — the request is malformed or unauthorised.
5xx Server error — the server failed to fulfil a valid request.

Type a number, a class like 4xx, or a keyword. The tool filters a bundled dataset and shows the reason phrase plus the notes that matter most when building or securing an API.

Security notes

Two codes deserve special care. Use 401 Unauthorized when no valid credentials were supplied and the client may retry after authenticating. Use 403 Forbidden when credentials are valid but authorisation is denied. For sensitive resources, returning 404 instead of 403 avoids confirming that a hidden path exists — a common information-disclosure hardening step.

Caching notes

Per RFC 9111, several status codes (200, 203, 204, 206, 300, 301, 308, 404, 405, 410, 414, 451, 501) are heuristically cacheable even without explicit Cache-Control. If an error response should never be stored, send Cache-Control: no-store.